Security researcher: Apple shuts developer sites after flaw report

The developer centers for Apple’s two operating systems – iOS for mobile and OS X for desktops – have been offline since Thursday. Apple originally said the sites were down for maintenance that was taking longer than expected, but now we know what really happened.

The two centers had a security flaw that allowed someone to gain unauthorized access to users’ names, along with street and email addresses. No payment data was accessed, Apple says.

The company finally fessed up to the breach in a note posted Sunday, saying it is reworking its systems, software and a database to prevent similar incidents in the future.

Now it turns out the “intruder” actually may have been a security researcher who spotted the flaw and then reported it to Apple. Ibrahim Balic insists he wasn’t hacking Apple, but rather discovered the issue, investigated it and then alerted the company via its own bug-reporting system.

On top of that Balic, who lives in London, posted a video showing the flaw in action, complete with dramatic music. [Update: Balic says on Twitter that he’s taken the video down, as it showed some users’ names and email addresses.]

Balic insists his intentions were good, and in a comment posted to a TechCrunch story about the breach, says Apple’s developer centers went down shortly after he reported the flaw. He’s upset about being labeled as a hacker and worries he’ll be blacklisted.

4 hours later from my final report Apple developer portal has closed down and, you know, it still is. I have emailed and asked if I am putting them in any difficulty so that I can give a break to my research. I have not gotten any response to this… I have been waiting since then for them to contact me, and today I’m reading news saying that they have been attacked and hacked. In some of the media news I watch/read whether legal authorities were involved in its investigation of the hack. I’m not feeling very happy with what I read and a bit irritated, as I did not do this research to harm or damage. I didn’t attempt to publish and have not shared this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100.000+ users’ details and Apple is informed about this. I didn’t attempt to get the data first and report then; instead I have reported first.

The breach comes at a critical time. Apple is in the middle of beta trials of new versions of iOS and OS X, and developers use the sites to download new test releases and to access app-creation tools. In addition, the sites host systems that allow developers to sign up for and renew dev center memberships. Apple says memberships set to expire while the sites are down will get free extensions.

If Balic’s story is true, it sounds like Apple should be thanking him. Better a researcher find the flaw than someone whose motivations are less than pure.

If Balic really took 100,000 users’ details, those are the actions of a black hat and should be punished accordingly. It’s no different than a thief robbing a bank vault and then posting a video of the loot saying the vault had a security weakness.

“Better a researcher find the flaw than someone whose motivations are less than pure.”

The thing is, there’s no way to know if Balic really was the first to find the vulnerability; we only know that he was the first to announce it. Black-hat types who discover such a vulnerability are likely to quietly exploit it as long as they are able; they’re not going to tell Apple, make a YouTube video or tweet about what they’ve done.